Postgres: no password / trusted host configuration
Even when you have a trusted host, it is strongly recommended not to accept connections without authentication. The reason is simple: one day a trusted host, another day -- a compromised host.
In order to create barriers and bulkheads that will reduce risk, create a natural overhead and give enough time to response teams to roll in, there should not be any "blind trust" in your network and all services and connections should hold a good degree of authenticity: this means authentication and authorization.
From the documentation:
"The trust method allows any user from the defined host to connect to a PostgreSQL database without the use of a password, as any PostgreSQL user. You are trusting the host-based authentication with the use of this method, and any user on the specified host. This is a dangerous condition if the specified host is not a secure machine, or provides access to users unknown to you."
Problem
In pg_hba.conf, locate trust:
host all 192.168.1.10 255.255.255.255 trust
Fix
In pg_hba.conf, use an authentication method other than trust:
host all 192.168.1.10 255.255.255.255 crypt
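The "locate trust" step can be scripted for review. The following is an added example, not part of the original page or of PostgreSQL. It accepts both the record layout shown above and the current "host database user address method" layout. The function name and the sample file contents are constructed for illustration, and it assumes no quoted fields containing "#" or spaces.

```python
# Added example: list pg_hba.conf records whose authentication method is "trust".
# Assumption: the method is the first auth keyword at field index 3 or later,
# which covers "host db ip mask method" and "host db user address[/cidr] method".
AUTH_METHODS = {
    "trust", "reject", "md5", "scram-sha-256", "password", "crypt", "gss",
    "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd", "krb5",
}
RECORD_TYPES = {"local", "host", "hostssl", "hostnossl",
                "hostgssenc", "hostnogssenc"}


def find_trust_entries(hba_text):
    """Return (line_number, record_type, match_fields) for every trust rule."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if not tokens or tokens[0] not in RECORD_TYPES:
            continue
        # Start at index 3 so a database or user literally named "trust"
        # (fields 1 and 2) is never mistaken for the method.
        method_idx = next(
            (i for i in range(3, len(tokens)) if tokens[i] in AUTH_METHODS),
            None,
        )
        if method_idx is None:
            continue  # malformed or unknown method: not reported here
        if tokens[method_idx] == "trust":
            findings.append((lineno, tokens[0], " ".join(tokens[1:method_idx])))
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all   postgres                     peer
host all 192.168.1.10 255.255.255.255 trust
host    all   all     10.0.0.0/8           scram-sha-256
hostssl app   trust   192.168.1.20/32      md5   # user is named "trust"
host    all   all     127.0.0.1/32         trust # loopback is still trust
"""

if __name__ == "__main__":
    for lineno, rtype, scope in find_trust_entries(SAMPLE_HBA):
        print(f"line {lineno}: {rtype} {scope} -> trust (no authentication)")
```
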